The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SLES

vulnerability bulletin CVE-2015-6563 CVE-2015-6564 CVE-2015-6565

OpenSSH: three vulnerabilities

Synthesis of the vulnerability

An authenticated attacker can use several vulnerabilities of OpenSSH.
Impacted products: Blue Coat CAS, DCFM Enterprise, Brocade Network Advisor, Brocade vTM, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, Copssh, NSM Central Manager, NSMXpress, OpenBSD, OpenSSH, pfSense, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 12/08/2015.
Revision date: 03/09/2015.
Identifiers: BFS-SA-2015-002, BSA-2015-009, CERTFR-2017-AVI-012, CVE-2015-6563, CVE-2015-6564, CVE-2015-6565, FEDORA-2015-13520, FreeBSD-SA-15:22.openssh, JSA10774, RHSA-2015:2088-06, RHSA-2016:0741-01, SA104, SOL17263, SUSE-SU-2015:1581-1, VIGILANCE-VUL-17643.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSH.

A local attacker can write a message (or ANSI sequences) on the tty of other users, because the tty is world-writable. It is also possible to use the TIOCSTI ioctl, in order to inject shell commands. [severity:2/4; CVE-2015-6565]

On OpenSSH Portable, a local attacker can use PAM and compromise the pre-authentication process, in order to impersonate other users. [severity:2/4; BFS-SA-2015-002, CVE-2015-6563]

On OpenSSH Portable, an attacker can compromise the pre-authentication process and force the usage of a freed memory area in PAM support, in order to trigger a denial of service, and possibly to run code. [severity:2/4; BFS-SA-2015-002, CVE-2015-6564]

computer vulnerability CVE-2015-5239

QEMU: denial of service via VNC_MSG_CLIENT_CUT_TEXT

Synthesis of the vulnerability

An attacker, who is privileged in a guest system, can send the VNC_MSG_CLIENT_CUT_TEXT message to QEMU, in order to trigger a denial of service on the host system.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, QEMU, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 03/09/2015.
Identifiers: CVE-2015-5239, DLA-573-1, DLA-574-1, FEDORA-2015-015aec3bf2, FEDORA-2015-efc1d7ba5e, openSUSE-SU-2015:1964-1, openSUSE-SU-2015:2003-1, openSUSE-SU-2015:2249-1, openSUSE-SU-2016:0995-1, SUSE-SU-2015:1853-1, SUSE-SU-2015:1894-1, SUSE-SU-2015:1908-1, SUSE-SU-2015:1952-1, SUSE-SU-2016:0658-1, SUSE-SU-2016:1560-1, SUSE-SU-2016:1698-1, SUSE-SU-2016:1703-1, SUSE-SU-2016:1785-1, USN-2745-1, VIGILANCE-VUL-17805.

Description of the vulnerability

The QEMU product implements a VNC display driver in the ui/vnc.c file.

A VNC client can send the VNC_MSG_CLIENT_CUT_TEXT message, which requests a region text cut. However, if the requested size is too large, QEMU consumes a large amount of memory.

An attacker, who is privileged in a guest system, can therefore send the VNC_MSG_CLIENT_CUT_TEXT message to QEMU, in order to trigger a denial of service on the host system.

computer vulnerability bulletin CVE-2015-5722

BIND: denial of service via DNSSEC Key

Synthesis of the vulnerability

An attacker can query BIND for a domain containing a malformed DNSSEC key, to force an assertion error in buffer.c, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, BIND, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 03/09/2015.
Identifiers: bulletinjul2015, c04800156, c04891218, c04923105, CERTFR-2015-AVI-389, CVE-2015-5722, DSA-3350-1, FEDORA-2015-14958, FEDORA-2015-15041, FEDORA-2015-15061, FreeBSD-SA-15:23.bind, HPSBUX03511, HPSBUX03522, HPSBUX03529, openSUSE-SU-2015:1597-1, openSUSE-SU-2015:1667-1, RHSA-2015:1705-01, RHSA-2015:1706-01, RHSA-2015:1707-01, RHSA-2016:0078-01, RHSA-2016:0079-01, SOL17181, SSA:2015-245-01, SSRT102248, SSRT102942, SSRT102967, SUSE-SU-2015:1480-1, SUSE-SU-2015:1481-1, SUSE-SU-2015:1496-1, SUSE-SU-2016:0227-1, USN-2728-1, VIGILANCE-VUL-17798.

Description of the vulnerability

The BIND product can be configured with DNSSEC.

In this case, when a client queries BIND for information about a domain, the BIND server validates the DNSSEC key of this domain. However, when this key is malformed, an assertion error occurs in the buffer.c file because developers did not expect this case, which stops the process.

This vulnerability impacts recursive DNS servers. It impacts authoritative servers only when an attacker can control a zone served by the server.

An attacker can therefore query BIND for a domain containing a malformed DNSSEC key, to force an assertion error in buffer.c, in order to trigger a denial of service.

vulnerability bulletin CVE-2015-3214

Linux kernel, QEMU: kernel memory read via i8254

Synthesis of the vulnerability

An attacker who controls a QEMU/KVM guest system can read a register from an emulated i8254 chip, in order to get potentially sensitive information.
Impacted products: Debian, Fedora, Linux, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 26/06/2015.
Revision date: 31/08/2015.
Identifiers: CVE-2015-3214, DSA-3348-1, FEDORA-2015-13402, FEDORA-2015-13404, RHSA-2015:1507-01, RHSA-2015:1508-01, RHSA-2015:1512-01, SUSE-SU-2016:1560-1, SUSE-SU-2016:1698-1, SUSE-SU-2016:1703-1, SUSE-SU-2016:1785-1, USN-2692-1, VIGILANCE-VUL-17243.

Description of the vulnerability

The Linux kernel includes code from QEMU for hardware emulation in KVM.

The i8254 component is in charge of clock interrupts. It has write-only I/O registers. However, the function pit_ioport_read() defined in "hw/timer/i8254.c" (QEMU) or "arch/x86/kvm/i8254.c" (Linux) does not block read access.

An attacker who controls a QEMU/KVM guest system can therefore read a register from an emulated i8254 chip, in order to get potentially sensitive information.

computer vulnerability bulletin CVE-2015-5219

NTP.org: infinite loop of sntp

Synthesis of the vulnerability

An attacker, spoofing replies of an NTP server, can generate an infinite loop in sntp of NTP.org, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, AIX, Meinberg NTP Server, NTP.org, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 25/08/2015.
Identifiers: CVE-2015-5219, DSA-3388-1, FEDORA-2015-14212, FEDORA-2015-77bfbc1bcd, ntp_advisory4, openSUSE-SU-2016:3280-1, RHSA-2016:0780-01, RHSA-2016:2583-02, SOL60352002, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, USN-2783-1, VIGILANCE-VUL-17748.

Description of the vulnerability

The NTP.org product implements an sntp client.

However, if the NTP server returns a malicious packet, an infinite loop occurs in sntp.

An attacker, spoofing replies of an NTP server, can therefore generate an infinite loop in sntp of NTP.org, in order to trigger a denial of service.

computer vulnerability announce CVE-2015-7703

NTP.org: file creation via pidfile/driftfile

Synthesis of the vulnerability

An authenticated attacker can force NTP.org to corrupt a file with its privileges.
Impacted products: Cisco ASR, Cisco ACE, ASA, IOS by Cisco, IOS XE Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unity ~ precise, Debian, Fedora, FreeBSD, Juniper J-Series, JUNOS, Meinberg NTP Server, NetBSD, NTP.org, openSUSE, openSUSE Leap, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 25/08/2015.
Identifiers: cisco-sa-20151021-ntp, CVE-2015-5196-REJECT, CVE-2015-7703, DSA-3388-1, FEDORA-2015-14212, FEDORA-2015-77bfbc1bcd, FreeBSD-SA-15:25.ntp, JSA10711, NetBSD-SA2016-001, openSUSE-SU-2015:2016-1, openSUSE-SU-2016:1423-1, RHSA-2016:0780-01, RHSA-2016:2583-02, SSA:2015-302-03, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, USN-2783-1, VIGILANCE-VUL-17747.

Description of the vulnerability

The ntpq command can send configuration directives to the NTP.org server (after authentication). For example:
  ntpq -c ":config pidfile /tmp/ntp.pid"
  ntpq -c ":config driftfile /tmp/ntp.drift"

However, when the server receives this command, it overwrites the requested file.

An authenticated attacker can therefore force NTP.org to corrupt a file with its privileges.

computer vulnerability CVE-2015-5194

NTP.org: unreachable memory reading via logconfig

Synthesis of the vulnerability

An authenticated attacker can force a read at an invalid address in NTP.org, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Meinberg NTP Server, NTP.org, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 25/08/2015.
Identifiers: CVE-2015-5194, DSA-3388-1, FEDORA-2015-14212, FEDORA-2015-77bfbc1bcd, RHSA-2016:0780-01, RHSA-2016:2583-02, sol02360853, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, USN-2783-1, VIGILANCE-VUL-17745.

Description of the vulnerability

The ntpq command can send configuration directives to the NTP.org server (after authentication). For example:
  ntpq -c ":config logconfig a"

However, when the server receives this command, it tries to read an unreachable memory area, which triggers a fatal error.

An authenticated attacker can therefore force a read at an invalid address in NTP.org, in order to trigger a denial of service.

vulnerability announce CVE-2015-6252

Linux kernel: descriptor leak via VHOST_SET_LOG_FD

Synthesis of the vulnerability

A privileged local attacker with access to /dev/vhost-net can create a descriptor leak via VHOST_SET_LOG_FD on the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Linux, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 18/08/2015.
Identifiers: CERTFR-2015-AVI-411, CERTFR-2015-AVI-417, CERTFR-2015-AVI-435, CERTFR-2015-AVI-508, CERTFR-2016-AVI-050, CVE-2015-6252, DSA-3364-1, openSUSE-SU-2016:2649-1, SUSE-SU-2015:1727-1, SUSE-SU-2015:2108-1, SUSE-SU-2016:0354-1, SUSE-SU-2016:2074-1, USN-2748-1, USN-2749-1, USN-2751-1, USN-2752-1, USN-2759-1, USN-2760-1, USN-2777-1, VIGILANCE-VUL-17692.

Description of the vulnerability

The Linux kernel uses the vhost driver for virtualized environments.

The VHOST_SET_LOG_FD ioctl defines the file descriptor where errors have to be logged. However, the vhost_dev_ioctl() function does not save its value, and this descriptor is thus never closed.

A privileged local attacker with access to /dev/vhost-net can therefore create a descriptor leak via VHOST_SET_LOG_FD on the Linux kernel, in order to trigger a denial of service.

vulnerability bulletin CVE-2015-0777

Xen: information disclosure via usbback

Synthesis of the vulnerability

A local attacker in a guest system can read a memory fragment of the Xen host system, in order to obtain sensitive information.
Impacted products: openSUSE, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 13/08/2015.
Identifiers: 917830, CVE-2015-0777, openSUSE-SU-2015:0713-1, openSUSE-SU-2016:0301-1, SUSE-SU-2015:0658-1, SUSE-SU-2015:1376-1, SUSE-SU-2015:1478-1, SUSE-SU-2015:1592-1, SUSE-SU-2015:1611-1, VIGILANCE-VUL-17663.

Description of the vulnerability

The Xen product uses the xen/usbback/usbback.c driver for USB exchanges.

However, the copy_buff_to_pages() function does not initialize a memory area before returning it to the user in the guest system.

A local attacker in a guest system can therefore read a memory fragment of the Xen host system, in order to obtain sensitive information.

computer vulnerability announce CVE-2015-3329 CVE-2015-6831 CVE-2015-6832

PHP: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, BIG-IP Hardware, TMOS, openSUSE, openSUSE Leap, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 07/08/2015.
Revision date: 10/08/2015.
Identifiers: 66387, 69441, 69793, 69892, 69975, 70002, 70014, 70019, 70064, 70068, 70081, 70121, 70166, 70168, 70169, CERTFR-2015-AVI-330, CVE-2015-3329, CVE-2015-6831, CVE-2015-6832, CVE-2015-6833, CVE-2015-8835, CVE-2015-8867, CVE-2015-8873, CVE-2015-8874, CVE-2015-8876, CVE-2015-8877, CVE-2015-8878, CVE-2015-8879, DLA-499-1, DSA-3602-1, openSUSE-SU-2015:1628-1, openSUSE-SU-2016:1167-1, openSUSE-SU-2016:1173-1, openSUSE-SU-2016:1274-1, openSUSE-SU-2016:1357-1, openSUSE-SU-2016:1373-1, openSUSE-SU-2016:1524-1, openSUSE-SU-2016:1553-1, openSUSE-SU-2016:1688-1, RHSA-2016:0457-01, RHSA-2016:2750-01, SOL91084571, SUSE-SU-2015:1633-1, SUSE-SU-2015:1818-1, SUSE-SU-2016:1145-1, SUSE-SU-2016:1166-1, SUSE-SU-2016:1581-1, SUSE-SU-2016:1638-1, USN-2758-1, USN-2952-1, USN-2952-2, USN-3045-1, VIGILANCE-VUL-17607.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can trigger a fatal error with recursive functions, in order to trigger a denial of service. [severity:1/4; 69793, CVE-2015-8873]

Arrays which are different are seen as equivalent, which may have an impact on security. [severity:1/4; 69892]

Temporary directories are managed incorrectly. [severity:1/4; 70002, CVE-2015-8878]

An attacker can use a vulnerability in unserialize(), in order to run code. [severity:3/4; 70121, CVE-2015-8876]

The openssl_random_pseudo_bytes() function is not cryptographically secure. [severity:2/4; 70014, CVE-2015-8867]

An attacker can generate a buffer overflow in phar_set_inode, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; 69441, CVE-2015-3329]

Files extracted from an archive can be stored outside the destination directory. [severity:2/4; 70019, CVE-2015-6833]

An attacker can bypass security features in SoapClient, in order to obtain sensitive information. [severity:2/4; 70081, CVE-2015-8835]

An attacker can generate a memory corruption during an unserialize of ArrayObject, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70068, CVE-2015-6832]

An attacker can force the usage of a freed memory area during an unserialize of SPLArrayObject, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70166, CVE-2015-6831]

An attacker can force the usage of a freed memory area during an unserialize of SplObjectStorage, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70168, CVE-2015-6831]

An attacker can force the usage of a freed memory area during an unserialize of SplDoublyLinkedList, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 70169, CVE-2015-6831]

An attacker can trigger a fatal error in GD, in order to trigger a denial of service (VIGILANCE-VUL-19670). [severity:2/4; 66387, CVE-2015-8874]

An attacker can trigger a fatal error via odbc_bindcols, in order to trigger a denial of service. [severity:1/4; 69975, CVE-2015-8879]

An attacker can create a memory leak via gdImageScaleTwoPass, in order to trigger a denial of service (VIGILANCE-VUL-19788). [severity:1/4; 70064, CVE-2015-8877]